From 95f768c9b0aeff7ea87f24bb7531989d4465e320 Mon Sep 17 00:00:00 2001 From: jmcshane Date: Thu, 17 Aug 2023 22:55:33 -0400 Subject: [PATCH] cmp parameter to enable git creds to be shared from repo server to the plugin Signed-off-by: jmcshane --- cmpserver/apiclient/plugin.pb.go | 292 +++++++++++++++--- cmpserver/plugin/config.go | 1 + cmpserver/plugin/plugin.go | 11 +- cmpserver/plugin/plugin.proto | 9 + .../config-management-plugins.md | 30 ++ reposerver/repository/repository.go | 23 +- test/e2e/custom_tool_test.go | 48 ++- test/e2e/testdata/cmp-gitcreds/plugin.yaml | 1 + .../testdata/cmp-gitcredstemplate/plugin.yaml | 1 + test/e2e/testdata/cmp-gitsshcreds/generate.sh | 5 + test/e2e/testdata/cmp-gitsshcreds/plugin.yaml | 11 + .../cmp-gitsshcreds/subdir/special.yaml | 0 12 files changed, 389 insertions(+), 43 deletions(-) create mode 100644 test/e2e/testdata/cmp-gitsshcreds/generate.sh create mode 100644 test/e2e/testdata/cmp-gitsshcreds/plugin.yaml create mode 100644 test/e2e/testdata/cmp-gitsshcreds/subdir/special.yaml diff --git a/cmpserver/apiclient/plugin.pb.go b/cmpserver/apiclient/plugin.pb.go index 29ebca3ae3afc1..34bfbd2eba0483 100644 --- a/cmpserver/apiclient/plugin.pb.go +++ b/cmpserver/apiclient/plugin.pb.go @@ -11,6 +11,7 @@ import ( grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" + emptypb "google.golang.org/protobuf/types/known/emptypb" io "io" math "math" math_bits "math/bits" @@ -467,6 +468,53 @@ func (m *File) GetChunk() []byte { return nil } +type CmpSettingsResponse struct { + ProvideGitCreds bool `protobuf:"varint,1,opt,name=provideGitCreds,proto3" json:"provideGitCreds,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *CmpSettingsResponse) Reset() { *m = CmpSettingsResponse{} } +func (m *CmpSettingsResponse) String() string { return proto.CompactTextString(m) } +func (*CmpSettingsResponse) ProtoMessage() {} +func (*CmpSettingsResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_b21875a7079a06ed, []int{7} +} +func (m *CmpSettingsResponse) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *CmpSettingsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_CmpSettingsResponse.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *CmpSettingsResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_CmpSettingsResponse.Merge(m, src) +} +func (m *CmpSettingsResponse) XXX_Size() int { + return m.Size() +} +func (m *CmpSettingsResponse) XXX_DiscardUnknown() { + xxx_messageInfo_CmpSettingsResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_CmpSettingsResponse proto.InternalMessageInfo + +func (m *CmpSettingsResponse) GetProvideGitCreds() bool { + if m != nil { + return m.ProvideGitCreds + } + return false +} + func init() { proto.RegisterType((*AppStreamRequest)(nil), "plugin.AppStreamRequest") proto.RegisterType((*ManifestRequestMetadata)(nil), "plugin.ManifestRequestMetadata") @@ -475,48 +523,54 @@ func init() { proto.RegisterType((*RepositoryResponse)(nil), "plugin.RepositoryResponse") proto.RegisterType((*ParametersAnnouncementResponse)(nil), "plugin.ParametersAnnouncementResponse") proto.RegisterType((*File)(nil), "plugin.File") + proto.RegisterType((*CmpSettingsResponse)(nil), "plugin.CmpSettingsResponse") } func init() { proto.RegisterFile("cmpserver/plugin/plugin.proto", fileDescriptor_b21875a7079a06ed) } var fileDescriptor_b21875a7079a06ed = []byte{ - // 576 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x94, 0xdd, 0x6e, 0x12, 0x4f, - 0x14, 0xc0, 0xbb, 0x85, 0xb6, 0x70, 0x68, 0xf2, 0x27, 0x93, 0x7f, 0x74, 0x25, 0x2d, 0xe2, 0x5e, - 0x18, 0x6e, 0x84, 0x04, 0xbd, 0x35, 0xb1, 0x55, 0x6c, 0xa3, 0xc1, 0x90, 0xa9, 0x37, 0x7a, 0x37, - 0x1d, 0x0e, 0x30, 0x76, 0x77, 0x66, 0x9c, 0x99, 0xdd, 0x04, 0xbd, 0xf1, 0x3d, 0x7c, 0x00, 0x5f, - 0xc5, 0x4b, 0x1f, 0xc1, 0xf4, 0x49, 0x0c, 0xb3, 0xbb, 0x40, 0x6c, 0x8b, 0x57, 0x7b, 0x3e, 0x7f, - 0x7b, 0xbe, 0x32, 0x70, 0xcc, 0x13, 0x6d, 0xd1, 0x64, 0x68, 0xfa, 0x3a, 0x4e, 0x67, 0x42, 0x16, - 0x9f, 0x9e, 0x36, 0xca, 0x29, 0xb2, 0x9f, 0x6b, 0xad, 0xe1, 0x4c, 0xb8, 0x79, 0x7a, 0xd9, 0xe3, - 0x2a, 0xe9, 0x33, 0x33, 0x53, 0xda, 0xa8, 0x4f, 0x5e, 0x78, 0xc2, 0x27, 0xfd, 0x6c, 0xd0, 0x37, - 0xa8, 0x55, 0x81, 0xf1, 0xa2, 0x70, 0xca, 0x2c, 0x36, 0xc4, 0x1c, 0x17, 0x7d, 0x0b, 0xa0, 0x79, - 0xa2, 0xf5, 0x85, 0x33, 0xc8, 0x12, 0x8a, 0x9f, 0x53, 0xb4, 0x8e, 0x3c, 0x87, 0x5a, 0x82, 0x8e, - 0x4d, 0x98, 0x63, 0x61, 0xd0, 0x09, 0xba, 0x8d, 0xc1, 0xc3, 0x5e, 0x51, 0xc4, 0x88, 0x49, 0x31, - 0x45, 0xeb, 0x8a, 0xd0, 0x51, 0x11, 0x76, 0xbe, 0x43, 0x57, 0x29, 0x24, 0x82, 0xea, 0x54, 0xc4, - 0x18, 0xee, 0xfa, 0xd4, 0xc3, 0x32, 0xf5, 0xb5, 0x88, 0xf1, 0x7c, 0x87, 0x7a, 0xdf, 0x69, 0x1d, - 0x0e, 0x4c, 0x8e, 0x88, 0x7e, 0x04, 0x70, 0xff, 0x0e, 0x2c, 0x09, 0xe1, 0x80, 0x69, 0xfd, 0x8e, - 0x25, 0xe8, 0x0b, 0xa9, 0xd3, 0x52, 0x25, 0x6d, 0x00, 0xa6, 0x35, 0xc5, 0x78, 0xcc, 0xdc, 0xdc, - 0xff, 0xaa, 0x4e, 0x37, 0x2c, 0xa4, 0x05, 0x35, 0x3e, 0x47, 0x7e, 0x65, 0xd3, 0x24, 0xac, 0x78, - 0xef, 0x4a, 0x27, 0x04, 0xaa, 0x56, 0x7c, 0xc1, 0xb0, 0xda, 0x09, 0xba, 0x15, 0xea, 0x65, 0x12, - 0x41, 0x05, 0x65, 0x16, 0xee, 0x75, 0x2a, 0xdd, 0xc6, 0xa0, 0x59, 0xd6, 0x3c, 0x94, 0xd9, 0x50, - 0x3a, 0xb3, 0xa0, 0x4b, 0x67, 0xf4, 0x0c, 0x6a, 0xa5, 0x61, 0xc9, 0x90, 0xeb, 0xb2, 0xbc, 0x4c, - 0xfe, 0x87, 0xbd, 0x8c, 0xc5, 0x29, 0x16, 0xe5, 0xe4, 0x4a, 0x34, 0x86, 0xe6, 0xba, 0x3d, 0xab, - 0x95, 0xb4, 0x48, 0x8e, 0xa0, 0x9e, 0x14, 0x36, 0x1b, 0x06, 0x9d, 0x4a, 0xb7, 0x4e, 0xd7, 0x86, - 0x65, 0x6f, 0x56, 0xa5, 0x86, 0xe3, 0xfb, 0x85, 0x2e, 0x61, 0x1b, 0x96, 0x68, 0x0a, 0x84, 0xae, - 0x16, 0xb9, 0x62, 0x76, 0xa0, 0x21, 0xec, 0x45, 0xaa, 0xb5, 0x32, 0x0e, 0x27, 0xbe, 0xb0, 0x1a, - 0xdd, 0x34, 0x91, 0x1e, 0x10, 0x61, 0x5f, 0x09, 0xcb, 0x55, 0x86, 0x66, 0x31, 0x94, 0xec, 0x32, - 0xc6, 0x89, 0xe7, 0xd7, 0xe8, 0x2d, 0x9e, 0xe8, 0x2b, 0xb4, 0xc7, 0xcc, 0xb0, 0x04, 0x1d, 0x1a, - 0x7b, 0x22, 0xa5, 0x4a, 0x25, 0xc7, 0x04, 0xe5, 0xba, 0x8f, 0x0f, 0x70, 0x4f, 0x97, 0x11, 0x9b, - 0x01, 0x79, 0x53, 0x8d, 0xc1, 0xa3, 0xde, 0xc6, 0xc5, 0x8d, 0x6f, 0x8b, 0xa4, 0x77, 0x00, 0xa2, - 0x23, 0xa8, 0x2e, 0x2f, 0x66, 0x39, 0x54, 0x3e, 0x4f, 0xe5, 0x95, 0x6f, 0xe8, 0x90, 0xe6, 0xca, - 0xe0, 0xfb, 0x2e, 0x1c, 0xbf, 0x54, 0x72, 0x2a, 0x66, 0x23, 0x26, 0xd9, 0xcc, 0xe7, 0x8c, 0xfd, - 0xce, 0x2e, 0xd0, 0x64, 0x82, 0x23, 0x79, 0x03, 0xcd, 0x33, 0x94, 0x68, 0x98, 0xc3, 0x72, 0xfc, - 0x24, 0x2c, 0xf7, 0xfa, 0xf7, 0xc9, 0xb7, 0xc2, 0x9b, 0x07, 0x9e, 0xb7, 0x18, 0xed, 0x74, 0x03, - 0xf2, 0x16, 0xfe, 0x1b, 0x31, 0xc7, 0xe7, 0xeb, 0xa9, 0x6f, 0x41, 0xb5, 0x4a, 0xcf, 0xcd, 0x1d, - 0x79, 0x18, 0x83, 0x07, 0x67, 0xe8, 0x6e, 0x1f, 0xec, 0x16, 0xec, 0xe3, 0xd2, 0xb3, 0x7d, 0x25, - 0xcb, 0x5f, 0x9c, 0xbe, 0xf8, 0x79, 0xdd, 0x0e, 0x7e, 0x5d, 0xb7, 0x83, 0xdf, 0xd7, 0xed, 0xe0, - 0xe3, 0xe0, 0x1f, 0x4f, 0xc5, 0xfa, 0xc1, 0x61, 0x5a, 0xf0, 0x58, 0xa0, 0x74, 0x97, 0xfb, 0xfe, - 0x79, 0x78, 0xfa, 0x27, 0x00, 0x00, 0xff, 0xff, 0x23, 0x88, 0x8e, 0xd3, 0x8e, 0x04, 0x00, 0x00, + // 652 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x54, 0xcd, 0x6e, 0xd3, 0x4a, + 0x14, 0x8e, 0x9b, 0xb4, 0x4d, 0x4e, 0xaa, 0xdb, 0x68, 0xee, 0x55, 0xaf, 0x49, 0xdb, 0x10, 0xbc, + 0x40, 0xd9, 0xe0, 0x48, 0x81, 0x2d, 0x82, 0xb6, 0x84, 0x54, 0xa0, 0xa0, 0xc8, 0x61, 0x03, 0xbb, + 0x89, 0x73, 0xe2, 0x0c, 0xb5, 0x67, 0x86, 0xf1, 0xd8, 0x52, 0x60, 0xc3, 0xdb, 0xf0, 0x2a, 0x2c, + 0x79, 0x04, 0x54, 0xf1, 0x20, 0x28, 0x63, 0x3b, 0x89, 0xda, 0xb4, 0xac, 0x7c, 0xfe, 0xe6, 0x3b, + 0xdf, 0x99, 0x6f, 0x7c, 0xe0, 0xd4, 0x8f, 0x64, 0x8c, 0x2a, 0x45, 0xd5, 0x95, 0x61, 0x12, 0x30, + 0x9e, 0x7f, 0x5c, 0xa9, 0x84, 0x16, 0x64, 0x2f, 0xf3, 0x9a, 0xfd, 0x80, 0xe9, 0x79, 0x32, 0x71, + 0x7d, 0x11, 0x75, 0xa9, 0x0a, 0x84, 0x54, 0xe2, 0x93, 0x31, 0x9e, 0xf8, 0xd3, 0x6e, 0xda, 0xeb, + 0x2a, 0x94, 0x22, 0x87, 0x31, 0x26, 0xd3, 0x42, 0x2d, 0x36, 0xcc, 0x0c, 0xae, 0x79, 0x1c, 0x08, + 0x11, 0x84, 0xd8, 0x35, 0xde, 0x24, 0x99, 0x75, 0x31, 0x92, 0x3a, 0x4f, 0x3a, 0xdf, 0x2c, 0x68, + 0x9c, 0x49, 0x39, 0xd6, 0x0a, 0x69, 0xe4, 0xe1, 0xe7, 0x04, 0x63, 0x4d, 0x9e, 0x43, 0x35, 0x42, + 0x4d, 0xa7, 0x54, 0x53, 0xdb, 0x6a, 0x5b, 0x9d, 0x7a, 0xef, 0xa1, 0x9b, 0x33, 0x1c, 0x52, 0xce, + 0x66, 0x18, 0xeb, 0xbc, 0x74, 0x98, 0x97, 0x5d, 0x96, 0xbc, 0xd5, 0x11, 0xe2, 0x40, 0x65, 0xc6, + 0x42, 0xb4, 0x77, 0xcc, 0xd1, 0x83, 0xe2, 0xe8, 0x6b, 0x16, 0xe2, 0x65, 0xc9, 0x33, 0xb9, 0xf3, + 0x1a, 0xec, 0xab, 0x0c, 0xc2, 0xf9, 0x6e, 0xc1, 0xff, 0x77, 0xc0, 0x12, 0x1b, 0xf6, 0xa9, 0x94, + 0xef, 0x68, 0x84, 0x86, 0x48, 0xcd, 0x2b, 0x5c, 0xd2, 0x02, 0xa0, 0x52, 0x7a, 0x18, 0x8e, 0xa8, + 0x9e, 0x9b, 0x56, 0x35, 0x6f, 0x23, 0x42, 0x9a, 0x50, 0xf5, 0xe7, 0xe8, 0x5f, 0xc5, 0x49, 0x64, + 0x97, 0x4d, 0x76, 0xe5, 0x13, 0x02, 0x95, 0x98, 0x7d, 0x41, 0xbb, 0xd2, 0xb6, 0x3a, 0x65, 0xcf, + 0xd8, 0xc4, 0x81, 0x32, 0xf2, 0xd4, 0xde, 0x6d, 0x97, 0x3b, 0xf5, 0x5e, 0xa3, 0xe0, 0xdc, 0xe7, + 0x69, 0x9f, 0x6b, 0xb5, 0xf0, 0x96, 0x49, 0xe7, 0x19, 0x54, 0x8b, 0xc0, 0x12, 0x83, 0xaf, 0x69, + 0x19, 0x9b, 0xfc, 0x07, 0xbb, 0x29, 0x0d, 0x13, 0xcc, 0xe9, 0x64, 0x8e, 0x33, 0x82, 0xc6, 0x7a, + 0xbc, 0x58, 0x0a, 0x1e, 0x23, 0x39, 0x81, 0x5a, 0x94, 0xc7, 0x62, 0xdb, 0x6a, 0x97, 0x3b, 0x35, + 0x6f, 0x1d, 0x58, 0xce, 0x16, 0x8b, 0x44, 0xf9, 0xf8, 0x7e, 0x21, 0x0b, 0xb0, 0x8d, 0x88, 0x33, + 0x03, 0xe2, 0xad, 0x54, 0x5e, 0x61, 0xb6, 0xa1, 0xce, 0xe2, 0x71, 0x22, 0xa5, 0x50, 0x1a, 0xa7, + 0x86, 0x58, 0xd5, 0xdb, 0x0c, 0x11, 0x17, 0x08, 0x8b, 0x5f, 0xb1, 0xd8, 0x17, 0x29, 0xaa, 0x45, + 0x9f, 0xd3, 0x49, 0x88, 0x53, 0x83, 0x5f, 0xf5, 0xb6, 0x64, 0x9c, 0xaf, 0xd0, 0x1a, 0x51, 0x45, + 0x23, 0xd4, 0xa8, 0xe2, 0x33, 0xce, 0x45, 0xc2, 0x7d, 0x8c, 0x90, 0xaf, 0xe7, 0xf8, 0x00, 0x47, + 0xb2, 0xa8, 0xd8, 0x2c, 0xc8, 0x86, 0xaa, 0xf7, 0x1e, 0xb9, 0x1b, 0xcf, 0x71, 0xb4, 0xad, 0xd2, + 0xbb, 0x03, 0xc0, 0x39, 0x81, 0xca, 0xf2, 0xc5, 0x2c, 0x2f, 0xd5, 0x9f, 0x27, 0xfc, 0xca, 0x0c, + 0x74, 0xe0, 0x65, 0x8e, 0xf3, 0x02, 0xfe, 0xbd, 0x88, 0xe4, 0x18, 0xb5, 0x66, 0x3c, 0x88, 0x57, + 0x7c, 0x3a, 0x70, 0x28, 0x95, 0x48, 0xd9, 0x14, 0x07, 0x4c, 0x5f, 0x28, 0x9c, 0xc6, 0xf9, 0x3d, + 0xdc, 0x0c, 0xf7, 0x7e, 0xef, 0xc0, 0xe9, 0x85, 0xe0, 0x33, 0x16, 0x0c, 0x29, 0xa7, 0x81, 0x69, + 0x3a, 0x32, 0xa2, 0x8f, 0x51, 0xa5, 0xcc, 0x47, 0xf2, 0x06, 0x1a, 0x03, 0xe4, 0xa8, 0xa8, 0xc6, + 0x42, 0x3f, 0x62, 0x17, 0x0f, 0xe3, 0xe6, 0x3f, 0xd3, 0xb4, 0x6f, 0xff, 0x21, 0x19, 0x27, 0xa7, + 0xd4, 0xb1, 0xc8, 0x5b, 0x38, 0x1c, 0x52, 0xed, 0xcf, 0xd7, 0xb2, 0xdd, 0x03, 0xd5, 0x2c, 0x32, + 0xb7, 0x45, 0x36, 0x60, 0x14, 0x1e, 0x0c, 0x50, 0x6f, 0x57, 0xe6, 0x1e, 0xd8, 0xc7, 0x45, 0xe6, + 0x7e, 0x4d, 0x4d, 0x8b, 0x01, 0xfc, 0x33, 0x40, 0xbd, 0x71, 0xc3, 0xe4, 0xc8, 0xcd, 0xd6, 0x88, + 0x5b, 0xac, 0x11, 0xb7, 0xbf, 0x5c, 0x23, 0xcd, 0xe3, 0x02, 0x75, 0x8b, 0x1c, 0x4e, 0xe9, 0xfc, + 0xe5, 0x8f, 0xeb, 0x96, 0xf5, 0xf3, 0xba, 0x65, 0xfd, 0xba, 0x6e, 0x59, 0x1f, 0x7b, 0x7f, 0xd9, + 0x68, 0xeb, 0xbd, 0x48, 0x25, 0xf3, 0x43, 0x86, 0x5c, 0x4f, 0xf6, 0x4c, 0xc3, 0xa7, 0x7f, 0x02, + 0x00, 0x00, 0xff, 0xff, 0xdb, 0xba, 0xba, 0x4f, 0x35, 0x05, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -538,6 +592,8 @@ type ConfigManagementPluginServiceClient interface { MatchRepository(ctx context.Context, opts ...grpc.CallOption) (ConfigManagementPluginService_MatchRepositoryClient, error) // GetParametersAnnouncement gets a list of parameter announcements for the given app GetParametersAnnouncement(ctx context.Context, opts ...grpc.CallOption) (ConfigManagementPluginService_GetParametersAnnouncementClient, error) + // GetCmpSettings provides configuration information for the plugin + GetCmpSettings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*CmpSettingsResponse, error) } type configManagementPluginServiceClient struct { @@ -650,6 +706,15 @@ func (x *configManagementPluginServiceGetParametersAnnouncementClient) CloseAndR return m, nil } +func (c *configManagementPluginServiceClient) GetCmpSettings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*CmpSettingsResponse, error) { + out := new(CmpSettingsResponse) + err := c.cc.Invoke(ctx, "/plugin.ConfigManagementPluginService/GetCmpSettings", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + // ConfigManagementPluginServiceServer is the server API for ConfigManagementPluginService service. type ConfigManagementPluginServiceServer interface { // GenerateManifests receive a stream containing a tgz archive with all required files necessary @@ -659,6 +724,8 @@ type ConfigManagementPluginServiceServer interface { MatchRepository(ConfigManagementPluginService_MatchRepositoryServer) error // GetParametersAnnouncement gets a list of parameter announcements for the given app GetParametersAnnouncement(ConfigManagementPluginService_GetParametersAnnouncementServer) error + // GetCmpSettings provides configuration information for the plugin + GetCmpSettings(context.Context, *emptypb.Empty) (*CmpSettingsResponse, error) } // UnimplementedConfigManagementPluginServiceServer can be embedded to have forward compatible implementations. @@ -674,6 +741,9 @@ func (*UnimplementedConfigManagementPluginServiceServer) MatchRepository(srv Con func (*UnimplementedConfigManagementPluginServiceServer) GetParametersAnnouncement(srv ConfigManagementPluginService_GetParametersAnnouncementServer) error { return status.Errorf(codes.Unimplemented, "method GetParametersAnnouncement not implemented") } +func (*UnimplementedConfigManagementPluginServiceServer) GetCmpSettings(ctx context.Context, req *emptypb.Empty) (*CmpSettingsResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetCmpSettings not implemented") +} func RegisterConfigManagementPluginServiceServer(s *grpc.Server, srv ConfigManagementPluginServiceServer) { s.RegisterService(&_ConfigManagementPluginService_serviceDesc, srv) @@ -757,10 +827,33 @@ func (x *configManagementPluginServiceGetParametersAnnouncementServer) Recv() (* return m, nil } +func _ConfigManagementPluginService_GetCmpSettings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(emptypb.Empty) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ConfigManagementPluginServiceServer).GetCmpSettings(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/plugin.ConfigManagementPluginService/GetCmpSettings", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ConfigManagementPluginServiceServer).GetCmpSettings(ctx, req.(*emptypb.Empty)) + } + return interceptor(ctx, in, info, handler) +} + var _ConfigManagementPluginService_serviceDesc = grpc.ServiceDesc{ ServiceName: "plugin.ConfigManagementPluginService", HandlerType: (*ConfigManagementPluginServiceServer)(nil), - Methods: []grpc.MethodDesc{}, + Methods: []grpc.MethodDesc{ + { + MethodName: "GetCmpSettings", + Handler: _ConfigManagementPluginService_GetCmpSettings_Handler, + }, + }, Streams: []grpc.StreamDesc{ { StreamName: "GenerateManifest", @@ -1132,6 +1225,43 @@ func (m *File) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *CmpSettingsResponse) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *CmpSettingsResponse) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *CmpSettingsResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.ProvideGitCreds { + i-- + if m.ProvideGitCreds { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + func encodeVarintPlugin(dAtA []byte, offset int, v uint64) int { offset -= sovPlugin(v) base := offset @@ -1309,6 +1439,21 @@ func (m *File) Size() (n int) { return n } +func (m *CmpSettingsResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.ProvideGitCreds { + n += 2 + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + func sovPlugin(x uint64) (n int) { return (math_bits.Len64(x|1) + 6) / 7 } @@ -2127,6 +2272,77 @@ func (m *File) Unmarshal(dAtA []byte) error { } return nil } +func (m *CmpSettingsResponse) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPlugin + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: CmpSettingsResponse: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: CmpSettingsResponse: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ProvideGitCreds", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPlugin + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.ProvideGitCreds = bool(v != 0) + default: + iNdEx = preIndex + skippy, err := skipPlugin(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthPlugin + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipPlugin(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 diff --git a/cmpserver/plugin/config.go b/cmpserver/plugin/config.go index faa718ff9fd2ed..949e212d9cf767 100644 --- a/cmpserver/plugin/config.go +++ b/cmpserver/plugin/config.go @@ -28,6 +28,7 @@ type PluginConfigSpec struct { Discover Discover `json:"discover"` Parameters Parameters `yaml:"parameters"` PreserveFileMode bool `json:"preserveFileMode,omitempty"` + ProvideGitCreds bool `json:"provideGitCreds,omitempty"` } // Discover holds find and fileName diff --git a/cmpserver/plugin/plugin.go b/cmpserver/plugin/plugin.go index f03b73f24dcf64..de8fea91fc20c1 100644 --- a/cmpserver/plugin/plugin.go +++ b/cmpserver/plugin/plugin.go @@ -24,9 +24,11 @@ import ( "github.com/argoproj/argo-cd/v2/util/io/files" "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/mattn/go-zglob" log "github.com/sirupsen/logrus" + + emptypb "google.golang.org/protobuf/types/known/emptypb" ) // cmpTimeoutBuffer is the amount of time before the request deadline to timeout server-side work. It makes sure there's @@ -438,3 +440,10 @@ func getParametersAnnouncement(ctx context.Context, appDir string, announcements } return repoResponse, nil } + +// GetCmpSettings shares information about the plugin configuration to the reposerver +func (s *Service) GetCmpSettings(ctx context.Context, in *emptypb.Empty) (*apiclient.CmpSettingsResponse, error) { + return &apiclient.CmpSettingsResponse{ + ProvideGitCreds: s.initConstants.PluginConfig.Spec.ProvideGitCreds, + }, nil +} diff --git a/cmpserver/plugin/plugin.proto b/cmpserver/plugin/plugin.proto index 16d4268d5939fc..1ebf7ea16d6138 100644 --- a/cmpserver/plugin/plugin.proto +++ b/cmpserver/plugin/plugin.proto @@ -4,6 +4,7 @@ option go_package = "github.com/argoproj/argo-cd/v2/cmpserver/apiclient"; package plugin; import "github.com/argoproj/argo-cd/v2/reposerver/repository/repository.proto"; +import "google/protobuf/empty.proto"; // AppStreamRequest is the request object used to send the application's // files over a stream. @@ -57,6 +58,10 @@ message File { bytes chunk = 1; } +message CmpSettingsResponse { + bool provideGitCreds = 1; +} + // ConfigManagementPlugin Service service ConfigManagementPluginService { // GenerateManifests receive a stream containing a tgz archive with all required files necessary @@ -71,4 +76,8 @@ service ConfigManagementPluginService { // GetParametersAnnouncement gets a list of parameter announcements for the given app rpc GetParametersAnnouncement(stream AppStreamRequest) returns (ParametersAnnouncementResponse) { } + + // GetCmpSettings provides configuration information for the plugin + rpc GetCmpSettings(google.protobuf.Empty) returns (CmpSettingsResponse) { + } } diff --git a/docs/operator-manual/config-management-plugins.md b/docs/operator-manual/config-management-plugins.md index ee805b71cd604a..a31a7aa69042e5 100644 --- a/docs/operator-manual/config-management-plugins.md +++ b/docs/operator-manual/config-management-plugins.md @@ -110,6 +110,10 @@ spec: # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository # might have executable files. Set to true only if you trust the CMP plugin authors. preserveFileMode: false + + # If set to `true` then the plugin can retrieve git credentials from the reposerver during generate. Plugin authors + # should ensure these credentials are appropriately protected during execution + provideGitCreds: false ``` !!! note @@ -489,3 +493,29 @@ spec: args: ["sample args"] preserveFileMode: true ``` + +##### Provide Git Credentials + +By default, the config management plugin is responsible for providing its own credentials to additional Git repositories +that may need to be accessed during manifest generation. The reposerver has these credentials available in its git creds +store, to allow the plugin to access these credentials, you can set `provideGitCreds` to `true` in the plugin spec: + +!!! warning + Make sure you trust the plugin you are using. If you set `provideGitCreds` to `true` then the plugin will receive + credentials used to clone the source Git repository. + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: ConfigManagementPlugin +metadata: + name: pluginName +spec: + init: + command: ["sample command"] + args: ["sample args"] + generate: + command: ["sample command"] + args: ["sample args"] + provideGitCreds: true +``` + diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index 1498dd81d4f6e0..28644ba16caab5 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go @@ -40,6 +40,7 @@ import ( "golang.org/x/sync/semaphore" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/emptypb" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" @@ -1381,7 +1382,7 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, pluginName = q.ApplicationSource.Plugin.Name } // if pluginName is provided it has to be `-` or just `` if plugin version is empty - targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, pluginName, env, q, opt.cmpTarDoneCh, opt.cmpTarExcludedGlobs) + targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, pluginName, env, q, q.Repo.GetGitCreds(gitCredsStore), opt.cmpTarDoneCh, opt.cmpTarExcludedGlobs) if err != nil { err = fmt.Errorf("plugin sidecar failed. %s", err.Error()) } @@ -1882,9 +1883,9 @@ func getPluginParamEnvs(envVars []string, plugin *v1alpha1.ApplicationSourcePlug return env, nil } -func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, pluginName string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, tarDoneCh chan<- bool, tarExcludedGlobs []string) ([]*unstructured.Unstructured, error) { +func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, pluginName string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Creds, tarDoneCh chan<- bool, tarExcludedGlobs []string) ([]*unstructured.Unstructured, error) { // compute variables. - env, err := getPluginEnvs(envVars, q) + env, err := getPluginEnvs(envVars, q, creds) if err != nil { return nil, err } @@ -1896,6 +1897,22 @@ func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, p } defer io.Close(conn) + cmpSettingsResponse, err := cmpClient.GetCmpSettings(ctx, &emptypb.Empty{}) + if err != nil { + return nil, err + } + + if cmpSettingsResponse.ProvideGitCreds { + if creds != nil { + closer, environ, err := creds.Environ() + if err != nil { + return nil, err + } + defer func() { _ = closer.Close() }() + env = append(env, environ...) + } + } + // generate manifests using commands provided in plugin config file in detected cmp-server sidecar cmpManifests, err := generateManifestsCMP(ctx, appPath, repoPath, env, cmpClient, tarDoneCh, tarExcludedGlobs) if err != nil { diff --git a/test/e2e/custom_tool_test.go b/test/e2e/custom_tool_test.go index 7370fb5478ad3b..94a1d93afeb751 100644 --- a/test/e2e/custom_tool_test.go +++ b/test/e2e/custom_tool_test.go @@ -39,7 +39,12 @@ func TestCustomToolWithGitCreds(t *testing.T) { Then(). Expect(OperationPhaseIs(OperationSucceeded)). Expect(SyncStatusIs(SyncStatusCodeSynced)). - Expect(HealthIs(health.HealthStatusHealthy)) + Expect(HealthIs(health.HealthStatusHealthy)). + And(func(app *Application) { + output, err := Run("", "kubectl", "-n", DeploymentNamespace(), "get", "cm", ctx.AppName(), "-o", "jsonpath={.metadata.annotations.GitAskpass}") + assert.NoError(t, err) + assert.Equal(t, "argocd", output) + }) } // make sure we can echo back the Git creds @@ -65,6 +70,11 @@ func TestCustomToolWithGitCredsTemplate(t *testing.T) { Expect(OperationPhaseIs(OperationSucceeded)). Expect(SyncStatusIs(SyncStatusCodeSynced)). Expect(HealthIs(health.HealthStatusHealthy)). + And(func(app *Application) { + output, err := Run("", "kubectl", "-n", DeploymentNamespace(), "get", "cm", ctx.AppName(), "-o", "jsonpath={.metadata.annotations.GitAskpass}") + assert.NoError(t, err) + assert.Equal(t, "argocd", output) + }). And(func(app *Application) { output, err := Run("", "kubectl", "-n", DeploymentNamespace(), "get", "cm", ctx.AppName(), "-o", "jsonpath={.metadata.annotations.GitUsername}") assert.NoError(t, err) @@ -77,6 +87,42 @@ func TestCustomToolWithGitCredsTemplate(t *testing.T) { }) } +// make sure we can read the Git creds stored in a temporary file +func TestCustomToolWithSSHGitCreds(t *testing.T) { + ctx := Given(t) + // path does not matter, we ignore it + ctx. + And(func() { + go startCMPServer(t, "./testdata/cmp-gitsshcreds") + time.Sleep(1 * time.Second) + t.Setenv("ARGOCD_BINARY_NAME", "argocd") + }). + CustomCACertAdded(). + // add the private repo with ssh credentials + CustomSSHKnownHostsAdded(). + SSHRepoURLAdded(true). + RepoURLType(RepoURLTypeSSH). + Path("cmp-gitsshcreds"). + When(). + CreateApp(). + Sync(). + Sync(). + Then(). + Expect(OperationPhaseIs(OperationSucceeded)). + Expect(SyncStatusIs(SyncStatusCodeSynced)). + Expect(HealthIs(health.HealthStatusHealthy)). + And(func(app *Application) { + output, err := Run("", "kubectl", "-n", DeploymentNamespace(), "get", "cm", Name(), "-o", "jsonpath={.metadata.annotations.GitSSHCommand}") + assert.NoError(t, err) + assert.Regexp(t, `-i [^ ]+`, output, "test plugin expects $GIT_SSH_COMMAND to contain the option '-i '") + }). + And(func(app *Application) { + output, err := Run("", "kubectl", "-n", DeploymentNamespace(), "get", "cm", Name(), "-o", "jsonpath={.metadata.annotations.GitSSHCredsFileSHA}") + assert.NoError(t, err) + assert.Regexp(t, `\w+\s+[\/\w]+`, output, "git ssh credentials file should be able to be read, hashing the contents") + }) +} + // make sure we can echo back the env func TestCustomToolWithEnv(t *testing.T) { ctx := Given(t) diff --git a/test/e2e/testdata/cmp-gitcreds/plugin.yaml b/test/e2e/testdata/cmp-gitcreds/plugin.yaml index 024804f495cc94..a256ce34de1f5a 100644 --- a/test/e2e/testdata/cmp-gitcreds/plugin.yaml +++ b/test/e2e/testdata/cmp-gitcreds/plugin.yaml @@ -8,3 +8,4 @@ spec: command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"GitAskpass\": \"$GIT_ASKPASS\"}}}"'] discover: fileName: "subdir/s*.yaml" + provideGitCreds: true diff --git a/test/e2e/testdata/cmp-gitcredstemplate/plugin.yaml b/test/e2e/testdata/cmp-gitcredstemplate/plugin.yaml index e57ee747bd0789..18962b15b8b8d3 100644 --- a/test/e2e/testdata/cmp-gitcredstemplate/plugin.yaml +++ b/test/e2e/testdata/cmp-gitcredstemplate/plugin.yaml @@ -8,3 +8,4 @@ spec: command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"GitAskpass\": \"$GIT_ASKPASS\", \"GitUsername\": \"$GIT_USERNAME\", \"GitPassword\": \"$GIT_PASSWORD\"}}}"'] discover: fileName: "subdir/s*.yaml" + provideGitCreds: true \ No newline at end of file diff --git a/test/e2e/testdata/cmp-gitsshcreds/generate.sh b/test/e2e/testdata/cmp-gitsshcreds/generate.sh new file mode 100644 index 00000000000000..0d6257f02478a1 --- /dev/null +++ b/test/e2e/testdata/cmp-gitsshcreds/generate.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +FILE=$(echo "$GIT_SSH_COMMAND" | grep -oP '\-i \K[/\w]+') +GIT_SSH_CRED_FILE_SHA=$(sha256sum ${FILE}) +echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"GitSSHCommand\":\"$GIT_SSH_COMMAND\", \"GitSSHCredsFileSHA\":\"$GIT_SSH_CRED_FILE_SHA\"}}}" \ No newline at end of file diff --git a/test/e2e/testdata/cmp-gitsshcreds/plugin.yaml b/test/e2e/testdata/cmp-gitsshcreds/plugin.yaml new file mode 100644 index 00000000000000..4ea727852426d3 --- /dev/null +++ b/test/e2e/testdata/cmp-gitsshcreds/plugin.yaml @@ -0,0 +1,11 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ConfigManagementPlugin +metadata: + name: cmp-gitcredstemplate +spec: + version: v1.0 + generate: + command: ["sh", "generate.sh"] + discover: + fileName: "subdir/s*.yaml" + provideGitCreds: true \ No newline at end of file diff --git a/test/e2e/testdata/cmp-gitsshcreds/subdir/special.yaml b/test/e2e/testdata/cmp-gitsshcreds/subdir/special.yaml new file mode 100644 index 00000000000000..e69de29bb2d1d6